Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to monitor Splunk changes?

guarisma
Contributor
‎12-09-2019 08:06 AM

Hello,

Looking for a way to monitor certain operational changes in Splunk like:
- A new sourcetype has been created.
- A new Input has been created.
- An input was removed/deleted.
- An Alert or Report was created or deleted.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎12-09-2019 08:22 AM

You should use version control for any conf changes made to your indexers, search heads, deployment servers, etc.. You can also leverage the internal log to answer the alert/report modification

index=_audit

0 Karma
Reply

guarisma
Contributor
‎12-09-2019 09:59 AM

What event will tell me a new index was created in Splunk Cloud?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎12-09-2019 11:00 AM

Yeah, this is available in the audit index too. Please accept the answer if this answered your questions

index=_audit action=indexes_edit

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...